Total
334 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-7722 | 1 Nodee-utils Project | 1 Nodee-utils | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package nodee-utils are vulnerable to Prototype Pollution via the deepSet function. | |||||
| CVE-2020-7719 | 1 Locutus | 1 Locutus | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Versions of package locutus before 2.0.12 are vulnerable to prototype Pollution via the php.strings.parse_str function. | |||||
| CVE-2020-7702 | 1 Templ8 Project | 1 Templ8 | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package templ8 are vulnerable to Prototype Pollution via the parse function. | |||||
| CVE-2020-7720 | 1 Digitalbazaar | 1 Forge | 2024-02-28 | 7.5 HIGH | 7.3 HIGH |
| The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions. | |||||
| CVE-2020-7600 | 1 Querymen Project | 1 Querymen | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| querymen prior to 2.1.4 allows modification of object properties. The parameters of exported function handler(type, name, fn) can be controlled by users without any sanitization. This could be abused for Prototype Pollution attacks. | |||||
| CVE-2020-7715 | 1 Deep-get-set Project | 1 Deep-get-set | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package deep-get-set are vulnerable to Prototype Pollution via the main function. | |||||
| CVE-2020-7724 | 1 Tiny-conf Project | 1 Tiny-conf | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package tiny-conf are vulnerable to Prototype Pollution via the set function. | |||||
| CVE-2020-7701 | 1 Springtree | 1 Madlib-object-utils | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| madlib-object-utils before 0.1.7 is vulnerable to Prototype Pollution via setValue. | |||||
| CVE-2020-12079 | 1 Beakerbrowser | 1 Beaker | 2024-02-28 | 7.5 HIGH | 10.0 CRITICAL |
| Beaker before 0.8.9 allows a sandbox escape, enabling system access and code execution. This occurs because Electron context isolation is not used, and therefore an attacker can conduct a prototype-pollution attack against the Electron internal messaging API. | |||||
| CVE-2020-7703 | 1 Nis-utils Project | 1 Nis-utils | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| All versions of package nis-utils are vulnerable to Prototype Pollution via the setValue function. | |||||
| CVE-2020-8203 | 2 Lodash, Oracle | 18 Lodash, Banking Corporate Lending Process Management, Banking Credit Facilities Process Management and 15 more | 2024-02-28 | 5.8 MEDIUM | 7.4 HIGH |
| Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. | |||||
| CVE-2020-7618 | 1 Sds Project | 1 Sds | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| sds through 3.2.0 is vulnerable to Prototype Pollution.The library could be tricked into adding or modifying properties of the 'Object.prototype' by abusing the 'set' function located in 'js/set.js'. | |||||
| CVE-2020-7644 | 1 Fun-map Project | 1 Fun-map | 2024-02-28 | 6.8 MEDIUM | 8.1 HIGH |
| fun-map through 3.3.1 is vulnerable to Prototype Pollution. The function assocInM could be tricked into adding or modifying properties of 'Object.prototype' using a '__proto__' payload. | |||||
| CVE-2019-17317 | 1 Sugarcrm | 1 Sugarcrm | 2024-02-28 | 6.5 MEDIUM | 7.2 HIGH |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP object injection in the UpgradeWizard module by an Admin user. | |||||
| CVE-2019-10806 | 1 Vega Project | 1 Vega | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| vega-util prior to 1.13.1 allows manipulation of object prototype. The 'vega.mergeConfig' method within vega-util could be tricked into adding or modifying properties of the Object.prototype. | |||||
| CVE-2019-19919 | 2 Handlebars.js Project, Tenable | 2 Handlebars.js, Tenable.sc | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads. | |||||
| CVE-2019-10768 | 1 Angularjs | 1 Angular.js | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload. | |||||
| CVE-2020-8116 | 1 Dot-prop Project | 1 Dot-prop | 2024-02-28 | 7.5 HIGH | 7.3 HIGH |
| Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects. | |||||
| CVE-2019-10808 | 1 Xcritical.software | 1 Utilitify | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| utilitify prior to 1.0.3 allows modification of object properties. The merge method could be tricked into adding or modifying properties of the Object.prototype. | |||||
| CVE-2019-16328 | 1 Rpyc Project | 1 Rpyc | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code for an RPyC service with default configuration settings. | |||||